INFORMATION SYSTEMS AUDITS 


Information Systems (IS) audits conducted by the Legislative 
Audit Division are designed to assess controls in an IS 
environment. IS controls provide assurance over the accuracy, 
reliability, and integrity of the information processed. From 
the audit work, a determination is made as to whether controls 
exist and are operating as designed. We conducted this IS audit 
in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our 
audit objectives. We believe that the evidence obtained provides 
a reasonable basis for our findings and conclusions based on our 
audit objectives. Members of the IS audit staff hold degrees in 
disciplines appropriate to the audit process. 


IS audits are performed as stand-alone audits of IS controls or 
in conjunction with financial-compliance and/or performance 
audits conducted by the office. These audits are done under the 
oversight of the Legislative Audit Committee which is a bicameral 
and bipartisan standing committee of the Montana Legislature. 
The committee consists of six members of the Senate and six 
members of the House of Representatives. 


AUDIT STAFF 
JEREMY VERHASSELT 


Reports can be found in electronic format at: 
http://leg.mt.gov/audit 


Deputy Legislative Auditors: 
Cindy Jorgenson 
Angus Maciver 


Tori Hunthausen, Legislative Auditor 
Deborah F. Butler, Legal Counsel 


December 2015 


The Legislative Audit Committee 
of the Montana State Legislature: 


We conducted an information systems audit of security over Montana Lottery 
operations. Montana law requires the Legislative Audit Division to perform a 
comprehensive security audit of the Montana Lottery every two years. We reviewed 
security controls within the 18 security areas defined in statute, including the Lottery’s 
computer systems, scratch and online tickets, and Lottery personnel and sales agents. 


This report contains five recommendations for strengthening controls in areas 
including background checks, investigations, lottery retailers, and building security. 


We wish to express our appreciation to the Montana Lottery for their cooperation and 
assistance during the audit. 


Respectfully submitted, 
/s/ Tori Hunthausen 


Tori Hunthausen, CPA 
Legislative Auditor 


Room 160 * State Capitol Building * PO Box 201705 * Helena, MT * 59620-1705 
Phone (406) 444-3122 * FAX (406) 444-9784 * E-Mail lad@mt.gov 

Montana Lottery Security 
MONTANA LEGISLATIVE AUDIT DIVISION 


15DP-02 REPORT SUMMARY 


The Montana Lottery depends on strong security controls to maintain the 
integrity of its games, employees, and contractors. While security is in place 
in all statutorily required review areas, there remains an opportunity for 
improvement in how the Lottery conducts its security operations. 


Context 


The Montana Lottery (Lottery) was created in 
1987. The Lottery transferred $12.3 million 
to the general fund in fiscal year 2015. Its 
operations are funded by the sale of Montana 
Lottery tickets, which include scratch tickets; 
online tickets for drawing games such as 
Powerball and Montana Cash; and online 
instant-play games. Tickets are sold by licensed 
sales agents across the state, either in person 
as traditional retail counter transactions, or 
increasingly via vending-style, self-service 
machines. These machines are typically located 
in supermarkets and taverns. 


Montana law requires the Legislative Audit 
Division to perform a comprehensive security 
audit of the Montana Lottery every two 
years. Auditors reviewed the 18 security 
areas as defined in §23-7-411, MCA. Testing 
included evaluation of Montana Lottery 
against Montana statute, Multi State Lottery 
Association (MUSL) regulations, Montana 
Lottery internal policy and procedures, and 
industry best practices. Audit staff also reviewed 
lottery winner data to look for anomalies, such 
as multiple winners. 


Results 


Security controls are in place in the areas 
outlined by statute; however, we identified 
areas where controls can be strengthened. 
Areas for improvement include: 


• Creating and improving policy related to background checks and the ineligible player list.
• Documenting investigative activities.
• Analyzing retailer data.
• Reviewing lottery winner data.
• Adding to retailer review.
• Improving building security.


Recommendation Concurrence 


Source: Agency audit response included in 
final report. 


For a complete copy of the report (15DP-02) or for further information, contact the 
Legislative Audit Division at 406-444-3122; e-mail to lad@mt.gov; or check the web site at 
http://leg.mt.gov/audit 


Report Fraud, Waste, and Abuse to the Legislative Auditor's FRAUD HOTLINE 
Call toll-free 1-800-222-4446, or e-mail ladhotline@mt.gov. 

Chapter I — Introduction and Background 


Introduction 


Following a statewide ballot referendum in 1986, the Montana Lottery (Lottery) was 
created in 1987. It generates revenue through the sale of various types of lottery tickets, 
and its net revenues are transferred to the state’s general fund. The Lottery transferred 
$12.3 million to the general fund and the Science Technology Engineering Math 
Healthcare (STEM) scholarship fund in fiscal year 2015, and in its history has generated 
over $217 million for various state programs. In fiscal year 2015, the Lottery had sales 
of $52.3 million. The Lottery is allocated to the Department of Administration, and 
its Director is appointed by the Governor and is a member of the Governor’s cabinet. 


Background 


A five-member independent Lottery Commission oversees the operations of the 
Lottery, sets policy, and determines the types and form of lottery games. Members 
serve staggered four-year terms. The Lottery’s Security Department includes a Director 
of Security and a Criminal Investigator. The issue of security, however, touches each 
area of the operation, as indicated by the mandated areas for biennial audit. 


Lottery tickets are sold at approximately 900 retail locations around Montana. 
Tickets fall into one of three categories: scratch tickets; online tickets (Powerball, 
etc.); and online instant-play games. Scratch and online drawing tickets are sold either 
over-the-counter in a traditional retail exchange or via a self-service vending-style 
machine. Online instant-play games, introduced in late 2011, are sold exclusively 
through self-service terminals installed in bars and casinos across the state. For any 
lottery game, retailers can validate and pay out any prizes up to $599. Prizes of $600 or 
more must be paid through the Lottery office in Helena, either in person or through 
the mail. 


The Lottery is a member of the Multi State Lottery Association (MUSL), a nonprofit 
association owned and operated by its member lotteries. Each member offers one 
or more lottery games administered by MUSL such as Powerball or Mega-millions. 
MUSL requires member lotteries to operate both a games management system (GMS) 
to manage online and scratch games, and an Internal Control System (ICS) as a check 
and balance against ticket sales recorded in the GMS. 


Montana’s GMS is currently operated by a third-party vendor. The vendor developed, 
maintains, and operates the GMS as well as installing and maintaining sales terminals 
and self-service vending machines at retailer locations throughout the state. Lottery 
personnel interface with the GMS through the Back Office System (BOS) to manage 
operations. The ICS was developed and is maintained by a separate third party vendor. 
The ICS is required by MUSL. It records all lottery sales and drawing information 
and is used to ensure the GMS is reporting accurately. Lottery has recently renewed 
its contract with its GMS vendor, and will be replacing its current GMS with a new 
system in the next year. 


Audit Scope and Objective 


Statute requires the Legislative Audit Division (LAD) to perform a comprehensive 
security audit of the Lottery every two years and specifically defines areas to be 
included. The 18 security areas as defined in §23-7-411, MCA, include: 


• Personnel security.
• Lottery sales agent security.
• Lottery contractor security.
• Security of manufacturing operations of lottery contractors.
• Security against ticket or chance counterfeiting and alteration and other
  means of fraudulently winning.
• Security of drawings among entries or finalists.
• Computer security.
• Data communications security.
• Database security.
• Systems security.
• Lottery premises and warehouse security.
• Security in distribution.
• Security involving validation and payment procedures.
• Security involving unclaimed prizes.
• Security aspects applicable to each particular lottery game.
• Security of drawings in games whenever winners are determined by drawings.
• The completeness of security against locating winners in lottery games
  with preprinted winners by persons involved in their production, storage,
  distribution, administration, or sales.
• Any other aspects of security applicable to any particular lottery game and to
  the Lottery and its operations.


Our objective was to determine whether the Lottery has controls in place over all 
18 areas and whether those controls function as expected. 


Methodology 


To accomplish our objective, audit staff reviewed work under each statutorily defined 
area. Work included interviews with agency and vendor personnel; observation of 
facilities and systems in place for Lottery and its vendors; testing of identified controls; 
review of agency and vendor policies, procedures and security records; and research of 
and contact with other states for comparative information. 


More specifically, testing included evaluating the Lottery against MUSL regulations, 
the Lottery’s internal security procedures, and industry best practices. Audit staff 
interviewed lottery personnel from Washington, Oregon, Colorado, and South Dakota. 
To ensure our objective was met, audit staff observed daily operations, interviewed key 
Lottery personnel, and determined if documentation was maintained and reviewed. 
The auditors reviewed employee and contractor procedures including background 
and/or credit checks. Employee and contractor access to facilities, systems, and data 
were also evaluated. Audit staff observed instant ticket stock distribution procedures 
and identified controls. Finally, the auditors reviewed computer systems and network 
configurations and system reports. 


Prior Audit Recommendations 


LAD conducted a similar audit in 2013, which resulted in three recommendations for 
strengthening security controls. The recommendations included: strengthening and 
monitoring compliance with the Employment of Relatives Policy, ensuring ongoing 
monitoring of security, and collecting and analyzing data regarding prize claims by 
licensed sales agents and their employees. The work for this audit included reviewing 
the action taken by the Lottery to implement these recommendations. Based on our 
review the Lottery fully implemented one recommendation, and partially implemented 
the remaining two recommendations. 


Audit staff was informed that changes were made to the office’s Relationship Policy 
to address segregation of duties issues found in the Employment of Relatives Policy. 
This policy was reviewed and audit staff determined that proper changes had been 
made. Lottery also presented documentation of its ongoing monitoring of employee 
compliance with this policy. For these reasons audit staff determined the Lottery had 
fully implemented the recommendation. 


The past audit identified issues relating to obtaining and reviewing data related to 
building access and security. Lottery staff were able to demonstrate their ability to 
operate the video and building access security systems. However, they had not 
established a process for reviewing building access data. In order to identify sales 
agent owner and employee winners the Lottery has added a question to its winner 
claim form allowing the winner to identify themselves as a lottery sales agent owner 
or employee. In order to gather this information the Lottery changed administrative 
rule. The delay caused by the rule change led the Lottery to forgo adding this question 
into its electronic records until it implements its new computer system. This question 
was not always stamped on the current forms. The Lottery will be adding this question 
onto its new winner claim forms. However, the answer is still gathered on a hard 
copy form making it difficult to analyze. Because of the lack of data analysis on both 
building access and winners these recommendations are partially implemented. 


Management Memorandum 


A management memorandum is a verbal or written notification to the agency for 
issues that should be considered by management, but do not require a formal agency 
response. We issued a management memorandum to the Lottery regarding the addition 
of cameras to the warehouse area, check stock verification process, and internal control 
process. 


MUSL Disclosure Statement 


MUSL lottery drawings have recently been subject to fraudulent activity. A former 
information security director for MUSL has been convicted of rigging the Hot Lotto 
drawing in 2010. This person is currently facing additional felony charges for fixing 
drawings in 2005 and 2006 as well. While the Montana Lottery is part of MUSL, the 
security shortfalls leading to this fraudulent activity were not related to the Montana 
Lottery’s security. This was the result of security issues at MUSL’s office in Iowa. 


Conclusion 


Based on audit work conducted, security controls are in place in the areas that statute 
requires review. Audit staff did identify issues within these areas where controls need 
to be strengthened to improve security and help ensure the integrity of the Lottery’s 
operations. These issues are discussed in Chapter II. 


Chapter II — Findings and Recommendations 


Introduction 


Montana Lottery (Lottery) operations are governed by statute, Multi-State Lottery 
Association (MUSL) rules, state information technology policy, and internal security 
policies. Because we audit security controls on an ongoing basis, our work for this 
report focused on specific controls within the statutorily defined areas. This report 
contains five recommendations for strengthening security controls, including: 

• Creating and improving policy related to background checks and the
  ineligible player list.
• Documenting investigative activities.
• Analyzing retailer data.
• Adding to retailer review.
• Improving building security.


Lottery Policy 


In order to maintain security and integrity the Lottery has procedures including 
background checks, maintaining an ineligible player list, and investigations. These 
functions are carried out by the security department at the Lottery. Each of these 
functions lacks policy describing specific detail related to their execution. The Lottery 
also has to deal with multiple contractors in order to provide customers with scratch 
and online games. It has a contractor for its online games and a contractor for its 
scratch ticket products. For these reasons, statute requires contractor's background 
information to be reviewed. The Lottery also includes these contracted employees on 
its ineligible players list. Involvement of these various groups and a lack of detailed 
policy increases the risk that these functions will not be carried out consistently. 


Missing Lottery Employee and 
Contractor Background Checks 


The assistant director for security is required by §23-7-212 (3a), MCA, to examine 
the background of all employees, sales agents, and contractors of the Lottery among 
others. The Lottery conducts background checks on select contracted employees and 
all Lottery employees. It also conducts annual follow-up checks on Lottery staff's 
Montana criminal records and driving records. The Lottery reviews the driving records 
of its online game contractor’s customer service technicians (CST) that operate vehicles 
in Montana. Lottery staff said gathering driving record information is a critical part 
of security because of the risks associated with having CSTs driving in Montana while 
representing the Lottery. The Lottery does not have any written policy describing how 
the CST background check processes should be conducted. 

Audit staff found 14 cases in which background information that the Lottery reportedly 
gathers was missing. Lottery personnel did not have background check information 
for eight of the online game contractor's employees. There were background checks for 
three people who were no longer employed by the online game contractor. Lottery staff 
indicated that it was difficult to keep background information up-to-date on contractor 
staff. They said the online game contractor does not always send over background 
information on new employees. Per statute, it is the Lottery’s responsibility to gather 
this information, and thus it must be more proactive in gathering the information 
on contractor employees. There was also one Lottery employee who did not have a 
fingerprint background check on record. The Lottery does not gather background 
information on any of its scratch ticket contractor’s employees. Lottery staff believes 
the company is too large to gather background information on all employees. Audit 
staff agrees with this assessment, but in conversation with other state lotteries they 
indicated that they pick out a number of positions at their scratch ticket provider that 
have associated risks to the integrity of their lottery operations, and gather background 
information on those people. 


There were five of the online game contractor’s CSTs that did not have driving records 
checks on file. For three of these, Lottery staff indicated they were hired prior to the 
start of conducting driving record checks, and they had not been asked to retroactively 
get this information on all CSTs. Lottery policy does not establish when background 
information is to be gathered. Lottery also does not have an established review process 
for background check information which would help to identify missing information. 
If there was a periodic review conducted with its contractors they could establish what 
information was missing and what information they no longer needed. 


Ineligible Player List Not Updated 


Lottery maintains an ineligible player list as its means of keeping those groups of 
people barred from playing the lottery from claiming prizes. The issues audit staff 
noted with the ineligible players list relates very closely to those described above in the 
background check section. According to §23-7-302 (4), MCA, tickets may not be sold 
to or purchased by Lottery staff, gaming suppliers doing business with the Lottery, or 
those auditing the Lottery, among others. Anyone that mails in or cashes their prize 
at the Lottery has their information checked against the ineligible player list. This is 
a sound system to make sure that those who are barred from playing the lottery are 
not able to claim prizes. However, the Lottery does not have policy establishing who 
will be included on the list, or policy establishing a review process to ensure the list is 
up-to-date. 


The ineligible player list is maintained by having those organizations whose employees 
are on the list send in information on incoming and outgoing employees. Lottery 
gathers employee and family member information from its advertising agency, online 
ticket contractor, auditors, Lottery employees, and the multi-state lottery organization 
to place on the list. Lottery staff indicated they receive information on new employees 
that need to be added to the list from the various groups mentioned above. During 
review of the ineligible players list audit staff noted two employees from the online 
ticket contractor who were missing from the list. Lottery staff indicated that the 
missing information was due to them receiving the information on those employees, 
but failing to enter them into the ineligible player list. The Lottery’s lack of a review 
process allowed these missing employees to go unnoticed by Lottery staff. 


In addition the Lottery does not include the scratch ticket contractor employees on the 
ineligible player list. Per statute they fall under the same category as the online ticket 
contractor employees, however, Lottery staff believe that the scratch ticket contractor 
is too big of a company to include all of their employees on the list. While audit staff 
agree with this, like background checks, we believe the Lottery should identify a group 
of the scratch ticket contractor’s employees whose duties pose a risk to the Lottery and 
include them on the ineligible players list. 




RECOMMENDATION #1 


We recommend the Montana Lottery establish or update policy by: 


A. Clarifying whom it will gather background check information on and what 
information will be gathered. 

B. Determining who will be included on the ineligible player list and how 
that information will be gathered. 

C. Creating a periodic review of background check information and the 
ineligible player list. 




Investigative Activity 


The Lottery has a criminal investigator on staff to look into complaints related to 
lottery operations. In criminal cases the investigator will turn over any information 
to law enforcement and assist them in ways such as tracking stolen tickets through 
the Lottery’s gaming system. The investigator will also look into complaints against 
Lottery sales agents. The investigator documents and maintains investigative activity 
in a hard copy file. An incident report form is completed for each investigation. 

Audit staff reviewed a sample of investigation files from 2014 and 2015. During the 
review audit staff noticed inconsistencies in documentation. Lottery staff indicated 
this was related to the unique nature of each complaint. However it was difficult in 
some cases to get a clear understanding of what steps were taken, or if any ongoing 
work was occurring with the case. Lottery does not have policy and procedure for the 
investigation process. Because of this it was difficult to determine if the investigator’s 
actions were appropriate in some of the cases we reviewed. For example, in one case a 
lottery sales agent had made a complaint against another lottery sales agent. The case 
was resolved by the district manager of the accused store reviewing their own security 
footage, and indicating the alleged incident did not happen. Lottery staff indicated 
they only review video if the case involves felony charges or an arrest. There were no 
charges or arrests in this case. Due to the circumstances it seemed appropriate for 
Lottery staff to review the footage in this case, rather than relying on the accused sales 
agent. 


The appropriate actions to be taken in cases like this could be cleared up through 
policy and procedure. Having an established policy for documentation of investigation 
also allows the Lottery to conduct more effective oversight of these activities. Providing 
clear expectations throughout the investigative process allows the Lottery to effectively 
supervise staff and monitor the quality of investigative documentation. 

RECOMMENDATION #2 


We recommend the Montana Lottery establish policy and procedure for 
conducting and documenting investigative activities. 




Lottery Sales Agents 


The Lottery relies on its sales agents (retailers) across the state to sell its lottery products. 
When lottery tickets are distributed to sales agents they must first be activated before 
they can be sold. The Lottery automatically withdraws funds owed by sales agents for 
scratch tickets they have received regardless if the tickets have been sold or not. Their 
gaming system tracks the sales of online tickets. Per statute, lottery sales agents are 
required to keep records of lottery ticket sales. They also confirm winning tickets of 
any amounts if asked by a customer. These sales agent activities carry with them risks 
that will be outlined in this section. 


Lottery Sales Agent Winners 


A common theft issue identified by surrounding states is retail clerks telling customers 
their lottery tickets are not winners when in fact they are. Clerks can then cash the 
tickets themselves after taking them from the customers. The Lottery gathers the store 
owner/key person information it would need to compare with the winners list as part 
of its retail license application process. By comparing these two sets of information the 
Lottery could identify sales agents that win a disproportionate amount of time. Other 
states indicated they use this type of information to issue warnings to sales agents, 
or to conduct sting operations with law enforcement to try to identify inappropriate 
activity and/or theft by sales agents. Lottery security personnel indicated that even if they 
identified theft, sting operations are not possible due to costs and lack of peace officer 
status. Other states indicate the cost of a book of tickets used in sting operations is 
approximately $2,000 for a pack of 100-200 tickets depending on the game. One state 
with limited law enforcement powers indicated they do not have the power to make 
arrests so they conduct these operations in conjunction with local law enforcement. 
The Lottery’s lack of proactive steps taken to identify or prevent potential theft by sales 
agents poses a risk to the integrity of the lottery games. 


As discussed in Chapter I, it was recommended in the past audit that Lottery start 
gathering data on lottery sales agent winners to try and identify cases where retailer 
theft may be happening. As a result, the Lottery added a question onto its winner 
claim form asking if the winner is a lottery sales agent store owner or employee. It is 
up to the winner to volunteer this information, which in the case of sales agent theft 
could incriminate them. The information is also in hard copy form making it difficult 
to analyze. 


As part of audit work, we compared a list of store owners provided by the Lottery to 
its winner lists for 2013 and 2014. This was an attempt to identify suspicious patterns 
of wins involving retail sales agents. The Lottery was only able to give a limited list of 
lottery sales agent store owners to audit staff. There were many cases in which the store 
was part of a larger corporation, and thus the owner name was the corporation and not 
an individual. Audit staff also identified cases in which the suspicious pattern of wins 
could not be associated with a lottery sales agent store owner on the list, but still raised 
concern. Table 1 (see page 10) represents the total winnings for those individuals who 
won four or more times for a total of more than $10,000 in 2013 and 2014. 

Table 1 
Winners of Four or More Times for Over $10,000 in 2013 and 2014 

Winner                          Dates of Wins               Number of Wins   Total Winnings
Winner #1                       January - December 2013     4                $10,874.00
Winner #2                       February - June 2013        4                $13,479.00
Winner #3                       January - December 2013     4                $15,903.00
Winner #4                       July 2013 - December 2014   15               $14,758.00
Winner #5                       March - October 2014                         $29,262.00
Lottery Sales Agent Winner #1   January - December 2014                      $22,199.30
Total                                                                        $106,475.30

Source: Compiled by the Legislative Audit Division from Montana Lottery records. 


Winner #4 was broken out in Table 2 to illustrate how frequently some individuals 
are collecting substantial lottery prizes. There is not enough information available 
to determine if Winner #4 legitimately won 15 times in 2 years. This individual won 
the jackpot prize for the game Three Card Poker 13 times and the jackpot prize for 
Shake A Day twice. According to the Lottery’s website the odds of winning the jackpot 
for Three Card Poker are 1:2,400, and 1:5,000 for Shake A Day. Based on these odds, 
this individual would have to have played Three Card Poker over 30,000 times in 2013 
through 2014 in order to have a 50 percent probability of winning the jackpot 13 or 
more times. 


Table 2 
Winner #4’s Individual Lottery Wins 

Winner      Date of Win       Prize Amount
Winner #4   July 2013         $ 1,148
Winner #4   August 2013           735
Winner #4   September 2013      2,047
Winner #4   September 2013      1,218
Winner #4   November 2013         703
Winner #4   January 2014        1,384
Winner #4   February 2014         950
Winner #4   June 2014           1,059
Winner #4   August 2014           816
Winner #4   September 2014        732
Winner #4   September 2014      1,076
Winner #4   September 2014        713
Winner #4   October 2014          721
Winner #4   October 2014          197
Winner #4   December 2014         659
Total                         $14,758

Source: Compiled by the Legislative Audit Division from Montana Lottery records. 


An alternative scenario could be that this is a case of a sales agent owner or employee 
engaging in a practice called discounting. Discounting is when someone, most often a 
sales agent or retail location employee, agrees to buy a winning ticket from a customer 
for less than face value. The customer can then avoid having child support or other 
payments owed to the state taken out of the winnings. When presented with the examples 
of the analysis in these tables, Lottery staff dismissed the identified cases as 
discounting, or the result of frequent play. Lottery staff indicated discounting is not 
against the law, and thus they do nothing to identify or prevent it. If the Lottery’s 
security personnel conducted reviews to identify situations like those presented in 
Tables 1 and 2, they and the Lottery Commission could then determine what actions are 
appropriate to address these situations. Tools available to the Lottery are the 
commission’s rule-making authority, and the ability to suspend or revoke sales agent 
licenses. 




RECOMMENDATION #3 


We recommend the Montana Lottery: 


A. Develop a lottery sales agent store owner/key person list from the 
information provided to the Lottery during the retail store license 
application process. 


B. Gather and analyze data on lottery sales agent winners by comparing 
winners lists against a lottery sales agent owner/key person list. 


C. Based on the analysis, document any identified anomalies and related 
actions taken. 
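
The winner review described in this section can be sketched in code. The following is an added example, not code from the Lottery or the Legislative Audit Division: it recomputes the number of plays needed for a 50 percent chance of 13 or more jackpots at the 1:2,400 odds quoted above, and screens a claims list using the Table 1 threshold (four or more wins totaling over $10,000) against an owner/key person list. The function names, the name-matching rule, and all claim records are constructed for illustration.

```python
import math
from collections import defaultdict

THREE_CARD_POKER_JACKPOT_ODDS = 1 / 2400  # odds quoted in the report


def prob_at_least(k, plays, p):
    """Exact binomial probability of at least k wins in `plays` independent plays."""
    if plays < k:
        return 0.0
    log_p, log_q = math.log(p), math.log1p(-p)
    below = 0.0
    for i in range(k):  # sum P(X = i) for i < k, in log space to avoid overflow
        log_pmf = (math.lgamma(plays + 1) - math.lgamma(i + 1)
                   - math.lgamma(plays - i + 1)
                   + i * log_p + (plays - i) * log_q)
        below += math.exp(log_pmf)
    return 1.0 - below


def min_plays_for(k, p, target=0.5):
    """Smallest number of plays at which P(at least k wins) reaches `target`."""
    lo = hi = k
    while prob_at_least(k, hi, p) < target:  # grow the upper bound
        lo, hi = hi, hi * 2
    while lo < hi:  # binary search: the tail probability rises with plays
        mid = (lo + hi) // 2
        if prob_at_least(k, mid, p) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def normalize(name):
    """Assumed matching rule: case-insensitive, whitespace-collapsed names."""
    return " ".join(name.casefold().split())


def flag_repeat_winners(claims, key_persons, min_wins=4, min_total=10_000):
    """Return claimants with >= min_wins claims totaling more than min_total,
    marking whether each one appears on the owner/key person list."""
    tally = defaultdict(lambda: [0, 0])  # name -> [win count, total dollars]
    for name, _date, amount in claims:
        entry = tally[normalize(name)]
        entry[0] += 1
        entry[1] += amount
    known = {normalize(n) for n in key_persons}
    flagged = [
        {"claimant": name, "wins": wins, "total": total,
         "key_person": name in known}
        for name, (wins, total) in tally.items()
        if wins >= min_wins and total > min_total
    ]
    return sorted(flagged, key=lambda row: -row["total"])


# Constructed sample records (not real claimants): (name, month, prize in dollars).
CLAIMS = [
    ("Pat Example", "2013-07", 2600), ("pat  example", "2013-09", 2700),
    ("Pat Example", "2014-02", 2500), ("PAT EXAMPLE", "2014-10", 2400),
    ("Sam Sample", "2013-03", 5000), ("Sam Sample", "2014-03", 6000),
    ("Lee Placeholder", "2013-01", 700), ("Lee Placeholder", "2013-05", 700),
    ("Lee Placeholder", "2014-01", 700), ("Lee Placeholder", "2014-06", 700),
    ("Kim Constructed", "2013-02", 3000), ("Kim Constructed", "2013-08", 2500),
    ("Kim Constructed", "2014-04", 2000), ("Kim Constructed", "2014-07", 1800),
    ("Kim Constructed", "2014-11", 1500),
]
KEY_PERSONS = ["Pat Example", "Lee Placeholder"]  # constructed owner/key person list

if __name__ == "__main__":
    plays = min_plays_for(13, THREE_CARD_POKER_JACKPOT_ODDS)
    print(f"Plays needed for a 50% chance of 13+ jackpots: {plays:,}")
    for row in flag_repeat_winners(CLAIMS, KEY_PERSONS):
        print(row)
```

Matching on individual names misses stores whose licensed owner is a corporation, which is the limitation audit staff describe for the owner list they were given.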


Retailer Security Assessment Reporting 


The Lottery currently conducts random retailer visits as a check on its security controls. 
During these visits it completes a security assessment report on lottery sales agents. 
This assessment does not include questions related to maintaining the Lottery’s sales 
records. However, per §23-7-301(11), MCA, sales agents are required to keep these 
records. The Lottery has no policy addressing compliance with this law. Lottery staff 
noted a case in which lottery tickets were stolen from a sales agent. The theft was 
eventually discovered when the Lottery performed a sweep of the sales agent’s account 
and the sales agent complained about being overcharged for ticket sales. The Lottery 
verified the sales leading the sales agent to discover the theft and press charges against 
an employee. Lottery staff indicated incidents such as this are out of their control, and 
the responsibility of the sales agent to prevent. However, we believe the Lottery could 
take additional steps to assist sales agents in preventing these incidents. 


Other states indicated they proactively review sales data every day in order to look for 
anomalies. One state receives sales reports daily and compares those to previous sales 
data. If they see a large spike in sales from a particular sales agent, they will contact 
the agent to make sure there is a reason for the spike. If there is not a justifiable reason 
for the sales numbers, this call alerts the sales agent, which allows them to review 
security video footage to look for theft. This proactive response helps to avoid theft of 
lottery tickets, which can have a negative effect on the integrity of the Lottery. While 
the Lottery may not directly lose money from ticket theft, there is a risk stolen tickets will 
win a prize, thus taking the possibility away from those who legally purchased tickets. 
The Lottery indicated its marketing department does monitor sales, but we believe 
procedures could be strengthened by having security personnel be more proactive in 
looking for anomalies and educating retailers on the requirements of the law with 
regard to record keeping. 
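
The daily comparison described above can be sketched as follows. This is an added example, not a procedure taken from the Lottery or from the other states; the agent IDs, dollar amounts and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample data: daily ticket sales (USD) per sales agent, oldest first.
# Agent IDs and amounts are invented for illustration.
DAILY_SALES = {
    "agent-001": [410, 395, 430, 405, 420, 415, 400, 425],
    "agent-002": [120, 135, 110, 125, 130, 115, 140, 610],
    "agent-003": [0, 0, 15, 0, 10, 0, 5, 60],
}


def flag_sales_spikes(daily_sales, ratio=3.0, min_baseline=50.0, min_history=7):
    """Compare each agent's latest daily total with the median of prior days.

    Returns (agent, latest, baseline) tuples for follow-up contact.
    ratio, min_baseline and min_history are assumed thresholds, not Lottery policy.
    """
    flagged = []
    for agent, series in sorted(daily_sales.items()):
        history, latest = series[:-1], series[-1]
        if len(history) < min_history:
            continue  # not enough previous sales data to judge a spike
        # The median resists distortion from one earlier unusual day; the floor
        # keeps low-volume agents from being flagged on trivial dollar amounts.
        baseline = max(median(history), min_baseline)
        if latest >= ratio * baseline:
            flagged.append((agent, latest, baseline))
    return flagged


if __name__ == "__main__":
    for agent, latest, baseline in flag_sales_spikes(DAILY_SALES):
        print(f"{agent}: {latest} today vs baseline {baseline}; contact sales agent")
```

The baseline floor matters for agents with near-zero history: without it, any sale at a normally idle agent would register as a spike and bury the reviewer in follow-up calls.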


RECOMMENDATION #4 


We recommend the Montana Lottery: 


A. Update its retailer security assessment to include record-keeping 
practices. 


B. Update policy by establishing a review of lottery sales agents’ sales in 
order to identify anomalies and follow up as necessary. 




Building Security 


The Lottery has an access system that records each time a door is accessed and whose 
card was used to access it. In this system each employee is assigned a level of access and 
an access card that gets them through certain doors in the building. If an employee 
does not have access to a door, they cannot gain access through it; however, if they 
attempt to access the door, the system will log the attempt. Each door is numbered and 
is described in the system. Lottery staff has the ability to review access of each card 
holder through a system report that logs each access attempt. 


The doors of the Lottery facility currently have incorrect descriptions in the access 
system making it difficult for Lottery staff to determine who is accessing what areas 
of the building. In the event Lottery staff wanted to review someone’s access in the 
building, it would be difficult to determine if access was appropriate or inappropriate. 
Because Lottery staff do not conduct reviews of building access to determine if there are 
inappropriate access attempts made by staff, they did not notice the error in the system. 
Lottery staff indicated they do not look at this information unless there is a security 
concern, or the information is requested. Other states indicated they commonly review 
access to look for any anomalies. This allows them to be proactive in looking for access 
issues before they develop into potential security issues. In order to properly determine 
access in the future, the Lottery needs to correct the door access labels within the 
system. With proper labels for each door they would be able to correctly identify access 
throughout the building. 


The Lottery also has the ability to generate a report showing every active card in the 
system and who they are assigned to. When audit staff reviewed this report it was 
determined there were three active cards that did not have names associated with them. 
One of the cards turned out to belong to a member of the audit staff; a system error 
had not applied their name to the card. Lottery staff indicated they did not know who 
the two remaining cards were assigned to. Staff indicated they were two of the first 
cards activated, and could belong to the people who set the system up originally. This 
means they have had two active, missing access cards to Lottery facilities since the 
system was installed. 
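
A periodic review of the kind discussed in this section could be run over exports from the access system. The sketch below is an added example, not the Lottery's system or the audit team's tooling; the CSV layouts, column names, door descriptions and records are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; layouts and values are assumptions for illustration.
CARDS_CSV = """card_id,holder,status
1001,,active
1002,,active
1003,A. Rivera,active
1004,B. Chen,inactive
"""
DOORS_CSV = """door_id,description
1,Front lobby
2,
3,Ticket storage
"""
LOG_CSV = """timestamp,card_id,door_id,result
2015-06-01T08:02:11,1003,1,granted
2015-06-01T22:14:05,1003,3,denied
2015-06-02T23:40:37,1001,3,granted
2015-06-03T07:55:00,1004,1,denied
2015-06-03T09:10:42,1003,2,granted
"""


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_access(cards_csv, doors_csv, log_csv):
    """Return review findings: unnamed active cards, unlabeled doors, log anomalies."""
    cards = {c["card_id"]: c for c in rows(cards_csv)}
    doors = {d["door_id"]: d["description"].strip() for d in rows(doors_csv)}
    findings = {
        "unassigned_active_cards": sorted(
            cid for cid, c in cards.items()
            if c["status"] == "active" and not c["holder"].strip()),
        "unlabeled_doors": sorted(d for d, desc in doors.items() if not desc),
        "denied_attempts": [],
        "unattributable_use": [],
    }
    for e in rows(log_csv):
        event = (e["timestamp"], e["card_id"], e["door_id"])
        card = cards.get(e["card_id"])
        if e["result"] == "denied":
            findings["denied_attempts"].append(event)
        elif card is None or not card["holder"].strip():
            # A granted entry that cannot be tied to a named person.
            findings["unattributable_use"].append(event)
    return findings
```

Run on a schedule, the output gives reviewers a short list to clear rather than a raw log to read, and an entry under `unattributable_use` shows that an unnamed card is actually being used.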




RECOMMENDATION #5 


We recommend the Montana Lottery: 
A. Correct door labels within the access system. 


B. Establish a periodic review of access including building access, 
assigned access, and active access cards. 
December 21, 2015 

Ms. Tori Hunthausen 
Legislative Auditor 
Office of the Legislative Auditor 
State Capitol Building 
Helena, MT 59620-1705 

RE: Response to 2015 Montana Lottery Security Audit 

Dear Ms. Hunthausen: 


Thank you for the opportunity to respond to the report on Montana Lottery Security 
Audit, dated December 21, 2015. 


The Montana Lottery concurs with the audit findings and recommendations and will take 
the necessary action to comply with all recommendations. 


The following is our response and action plan to specific recommendations of the audit: 
RECOMMENDATION #1 
We recommend the Montana Lottery establish or update policy by: 


A. Clarifying whom it will gather background check information on and what 
information will be gathered. 

B. Determining whom will be included on the ineligible player list and how that 
information will be gathered. 

C. Creating a periodic review of background check information and the 
ineligible player lists. 


The Montana Lottery concurs with the sections of this finding and will update its policy 
and monitoring procedures regarding the conclusions noted. 


RECOMMENDATION #2 


We recommend the Montana Lottery establish policy and procedure for conducting 
and documenting investigative activities. 


The Montana Lottery concurs with this finding and will update its policy and procedures 
regarding the investigative activities. 


montanalottery.com 


RECOMMENDATION #3 
We recommend the Montana Lottery: 


A. Develop a lottery sales agent store owner/key person list from the 
information provided to the lottery during the retail store license application 
process. 

B. Gather and analyze data on lottery sales agent winners by comparing winner 
lists against a lottery sales agent owner/key person list. 

C. Based on the analysis, document any identified anomalies and related actions 
taken. 


The Montana Lottery concurs with this finding. Moving forward, the Montana Lottery 
will develop cross-referencing reports on our new system that will link winner claim 
information to retail owners. As recommended, these reports will also be examined, 
along with other collaboration information such as a victim complaint, to identify unusual 
activity. 


RECOMMENDATION #4 
We recommend the Montana Lottery: 


A. Update its retailer security assessment to include record-keeping practices. 
B. Update policy by establishing a review of lottery sales agents’ sales in order 
to identify anomalies and follow up as necessary. 


The Montana Lottery concurs with this finding. Normally, this is accomplished at the 
point of licensing and contracting with a retailer and by sales personnel around the state. 
However, going forward, the security section will address requirements when conducting 
security assessments. 


It should also be noted that the example provided in the report does not provide a clear 
understanding of events surrounding the theft case identified. Specifically, this case 
followed a normal pattern that is seen when analyzing financial theft, in that the thief 
started out small and then gradually progressed over a long period of time to larger and 
larger actions. Eventually, the owner of the establishment noticed anomalies when 
balancing their Lottery accounts. 


RECOMMENDATION #5 


We recommend the Montana Lottery: 


A. Correct door labels within the access system. 


B. Establish a periodic review of access including building access, assigned 
access and active access cards. 


The Montana Lottery concurs with the sections of this finding and will update the access 
system and established policy and procedures regarding the conclusions noted. 


Thank you again for the opportunity to respond. Your team established a good rapport 
with our office and showed strong professional knowledge and personal professionalism 
while working in our area. Please express my appreciation of these facts to them for their 
efforts. 


Sincerely, 


Montana Lottery 